Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Confirmaci#U00f3n de pago_shrunk.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	3.539492620386482
Filename:	Confirmaci#U00f3n de pago_shrunk.exe
Filesize:	208896
MD5:	5f249a857aa4ec0d7811cbe49b1eac0e
SHA1:	9bc2fed4cf1f677c009ba9c0c224e15a07ee8dd4
SHA256:	e97a53902ccc623ff61147e3b7cb7e9abf77e8a61a401a317891ffaf73a7338a
SHA512:	021890218f651a97b7f2d3a490def666e3a70a55e40355a91ce912eaff80c60728a582128220d8ccc07653d6a131f6bef42892907153b6f25b52ecce22fbfc5c
SSDEEP:	1536:SD8LRJrCwGizMmnLU/lmOfsxdPTWQ7ZnbXnD630VD1:SQdJrCwG7Wo/lmOfsxdrWQFXWEVD1
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................................#... ...@....@.. ....................... ............`................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation	Software Packing
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Confirmaci#U00f3n de pago_shrunk.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Confirmaci#U00f3n de pago_shrunk.exe.log
Category:	dropped
Dump:	Confirmaci#U00f3n de pago_shrunk.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe
Type:	CSV text
Entropy:	5.345615485833535
Encrypted:	false
Ssdeep:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
Size:	847
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe

"C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3020
Target ID:	0
Parent PID:	4084
Name:	Confirmaci#U00f3n de pago_shrunk.exe
Path:	C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe
Commandline:	"C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe"
Size:	208896
MD5:	5F249A857AA4EC0D7811CBE49B1EAC0E
Time:	12:51:21
Date:	25/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb00000
Modulesize:	139264
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3780
Target ID:	2
Parent PID:	3020
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	12:51:23
Date:	25/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xd80000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/

unknown

https://api.telegram.org

unknown

https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendDocument

149.154.167.220

http://transfer.adttemp.com.br

unknown

https://account.dyn.com/

unknown

http://transfer.adttemp.com.brd

unknown

http://api.telegram.org

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://transfer.adttemp.com.br

unknown

https://transfer.adttemp.com.br/cCoB5/anonymous.txt

104.196.109.209

Domains

Name

Malicious

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

transfer.adttemp.com.br

104.196.109.209

Details

Name:	transfer.adttemp.com.br
IP:	104.196.109.209
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.196.109.209

transfer.adttemp.com.br

United States

Details

IP:	104.196.109.209
TargetID:	0
Current Path:	C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	transfer.adttemp.com.br

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Confirmaci#U00f3n de pago_shrunk_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Confirmaci#U00f3n de pago_shrunk_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Confirmaci#U00f3n de pago_shrunk_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Confirmaci#U00f3n de pago_shrunk_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Confirmaci#U00f3n de pago_shrunk_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Confirmaci#U00f3n de pago_shrunk_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Confirmaci#U00f3n de pago_shrunk_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Confirmaci#U00f3n de pago_shrunk_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Confirmaci#U00f3n de pago_shrunk_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Confirmaci#U00f3n de pago_shrunk_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Confirmaci#U00f3n de pago_shrunk_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Confirmaci#U00f3n de pago_shrunk_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Confirmaci#U00f3n de pago_shrunk_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Confirmaci#U00f3n de pago_shrunk_RASMANCS

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

FileDirectory

There are 19 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

313E000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

315A000

trusted library allocation

page read and write

30F1000

trusted library allocation

page read and write

3F89000

trusted library allocation

page read and write

556E000

trusted library allocation

page read and write

5BA6000

trusted library allocation

page read and write

63B8000

heap

page read and write

1210000

heap

page read and write

5BB0000

trusted library allocation

page execute and read and write

5B8C000

trusted library allocation

page read and write

FDE000

heap

page read and write

66F0000

heap

page read and write

5B90000

heap

page read and write

4119000

trusted library allocation

page read and write

300A000

trusted library allocation

page read and write

620E000

stack

page read and write

11B1000

heap

page read and write

1170000

heap

page read and write

1075000

heap

page read and write

595E000

stack

page read and write

12A0000

heap

page read and write

2D5F000

stack

page read and write

5ADE000

stack

page read and write

317B000

trusted library allocation

page read and write

2E5C000

stack

page read and write

2FFA000

trusted library allocation

page read and write

2F70000

heap

page execute and read and write

65CE000

stack

page read and write

3142000

trusted library allocation

page read and write

1476000

heap

page read and write

556A000

trusted library allocation

page read and write

1496000

trusted library allocation

page execute and read and write

14A0000

trusted library allocation

page read and write

FB3000

heap

page read and write

6590000

trusted library allocation

page execute and read and write

62AE000

stack

page read and write

40F1000

trusted library allocation

page read and write

5F2E000

stack

page read and write

2F81000

trusted library allocation

page read and write

5350000

heap

page execute and read and write

66CE000

stack

page read and write

2BE7000

trusted library allocation

page execute and read and write

5B50000

trusted library allocation

page read and write

313C000

trusted library allocation

page read and write

5571000

trusted library allocation

page read and write

1460000

trusted library allocation

page read and write

30E0000

heap

page execute and read and write

118E000

stack

page read and write

69CE000

stack

page read and write

149A000

trusted library allocation

page execute and read and write

5B80000

trusted library allocation

page read and write

7F0A0000

trusted library allocation

page execute and read and write

55F0000

heap

page execute and read and write

1480000

trusted library allocation

page read and write

1325000

heap

page read and write

11AF000

heap

page read and write

5562000

trusted library allocation

page read and write

67F0000

heap

page read and write

3146000

trusted library allocation

page read and write

302E000

trusted library allocation

page read and write

F7E000

heap

page read and write

2D70000

heap

page read and write

63B0000

heap

page read and write

15C0000

heap

page read and write

63D0000

heap

page read and write

150E000

stack

page read and write

1200000

trusted library allocation

page read and write

141E000

stack

page read and write

2BF0000

trusted library allocation

page read and write

2BF2000

trusted library allocation

page read and write

5590000

trusted library allocation

page read and write

F20000

heap

page read and write

306E000

stack

page read and write

1139000

stack

page read and write

55DE000

stack

page read and write

606E000

stack

page read and write

634E000

stack

page read and write

3169000

trusted library allocation

page read and write

5650000

heap

page read and write

400000

remote allocation

page execute and read and write

FA4000

heap

page read and write

1320000

heap

page read and write

B02000

unkown

page readonly

1490000

trusted library allocation

page read and write

2C10000

trusted library allocation

page read and write

B16000

unkown

page readonly

2F5E000

stack

page read and write

56DE000

stack

page read and write

648C000

stack

page read and write

14C0000

trusted library allocation

page read and write

30AC000

stack

page read and write

5582000

trusted library allocation

page read and write

3014000

trusted library allocation

page read and write

6AE0000

heap

page read and write

3000000

trusted library allocation

page read and write

5556000

trusted library allocation

page read and write

65C0000

trusted library allocation

page read and write

60CE000

stack

page read and write

5BFD000

stack

page read and write

2EC8000

trusted library allocation

page read and write

65D0000

trusted library allocation

page read and write

F97000

heap

page read and write

1203000

trusted library allocation

page execute and read and write

1024000

heap

page read and write

2BF7000

trusted library allocation

page execute and read and write

658E000

stack

page read and write

563C000

stack

page read and write

585E000

stack

page read and write

30B0000

heap

page read and write

52D0000

trusted library allocation

page read and write

555E000

trusted library allocation

page read and write

1290000

heap

page read and write

1201000

heap

page read and write

5A9E000

stack

page read and write

B00000

unkown

page readonly

51ED000

stack

page read and write

5C6E000

stack

page read and write

30D0000

trusted library allocation

page execute and read and write

531E000

stack

page read and write

1464000

trusted library allocation

page read and write

66E0000

heap

page read and write

3156000

trusted library allocation

page read and write

65B7000

trusted library allocation

page read and write

5540000

trusted library allocation

page read and write

123F000

heap

page read and write

2C5E000

stack

page read and write

F30000

heap

page read and write

2BE0000

trusted library allocation

page read and write

11A4000

heap

page read and write

F70000

heap

page read and write

2BE2000

trusted library allocation

page read and write

581E000

stack

page read and write

F50000

heap

page read and write

571D000

stack

page read and write

14A5000

trusted library allocation

page execute and read and write

1038000

heap

page read and write

65A0000

trusted library allocation

page read and write

30FA000

trusted library allocation

page read and write

5B59000

trusted library allocation

page read and write

5BDF000

stack

page read and write

1070000

heap

page read and write

5530000

trusted library allocation

page read and write

5550000

trusted library allocation

page read and write

61CD000

stack

page read and write

1510000

heap

page read and write

1463000

trusted library allocation

page execute and read and write

6ACF000

stack

page read and write

658C000

stack

page read and write

2BFB000

trusted library allocation

page execute and read and write

6433000

heap

page read and write

557D000

trusted library allocation

page read and write

644D000

stack

page read and write

5640000

heap

page read and write

65B0000

trusted library allocation

page read and write

2F60000

heap

page read and write

B14000

unkown

page readonly

11CE000

stack

page read and write

5ACF000

stack

page read and write

1204000

trusted library allocation

page read and write

5BA0000

trusted library allocation

page read and write

15B0000

trusted library allocation

page read and write

30ED000

trusted library allocation

page read and write

2BEA000

trusted library allocation

page execute and read and write

59CE000

stack

page read and write

120D000

trusted library allocation

page execute and read and write

598E000

stack

page read and write

2F60000

trusted library allocation

page read and write

1259000

heap

page read and write

1058000

heap

page read and write

5643000

heap

page read and write

584C000

stack

page read and write

148D000

trusted library allocation

page execute and read and write

14AB000

trusted library allocation

page execute and read and write

1470000

heap

page read and write

4159000

trusted library allocation

page read and write

3003000

trusted library allocation

page read and write

3F81000

trusted library allocation

page read and write

1450000

trusted library allocation

page read and write

301B000

trusted library allocation

page read and write

599E000

stack

page read and write

64EE000

stack

page read and write

68CE000

stack

page read and write

5B0D000

stack

page read and write

2D60000

trusted library allocation

page execute and read and write

66D0000

heap

page read and write

131F000

stack

page read and write

14A2000

trusted library allocation

page read and write

55A0000

trusted library allocation

page read and write

5F6E000

stack

page read and write

14A7000

trusted library allocation

page execute and read and write

EF8000

stack

page read and write

1492000

trusted library allocation

page read and write

1179000

heap

page read and write

11F0000

trusted library allocation

page read and write

555B000

trusted library allocation

page read and write

5576000

trusted library allocation

page read and write

3176000

trusted library allocation

page read and write

559E000

stack

page read and write

30F8000

trusted library allocation

page read and write

630E000

stack

page read and write

146D000

trusted library allocation

page execute and read and write

588E000

stack

page read and write

5E2E000

stack

page read and write

5330000

trusted library allocation

page read and write

6B20000

heap

page read and write

3012000

trusted library allocation

page read and write

BBC000

stack

page read and write

5D6C000

stack

page read and write

6AF0000

trusted library allocation

page execute and read and write

1039000

stack

page read and write

302A000

trusted library allocation

page read and write

There are 202 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Confirmaci#U00f3n de pago_shrunk.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportConfirmaci#U00f3n de pago_shrunk.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Confirmaci#U00f3n de pago_shrunk.exe